You must use Windows PowerShell 3.0 commands to export and copy the certificates between farms. After the certificates are exported and copied, you can use either Windows PowerShell 3.0 commands or Central Administration to manage the trusts within the farm.

The instructions here assume the following criteria:

That the servers that are used for these procedures are running Windows PowerShell 3.0.

That the administrator will select and use the same server in each farm for all steps in the process.

If User Account Control (UAC) is turned on, you must run the Windows PowerShell 3.0 commands with elevated privileges.


An administrator of the consuming farm must provide two trust certificates to the publishing farm: a root certificate and a security token service (STS) certificate. An administrator of the publishing farm must provide a root certificate to the consuming farm. The STS certificate is the certificate with which the consuming farm signs its security tokens; registering it on the publishing farm as a trusted service token issuer is what allows the publishing farm to accept requests from the consuming farm, so the receiving administrator should confirm the thumbprint of each copied certificate with the sending administrator before importing it.

You can only export and copy certificates by using Windows PowerShell 3.0.

To export the root certificate from the consuming farm

On a server that is running SharePoint 2013 on the consuming farm, verify that you have the following memberships:

securityadmin fixed server role on the SQL Server instance.

db_owner fixed database role on all databases that are to be updated.

Administrators group on the server on which you are running the Windows PowerShell cmdlets.

Add memberships that are required beyond the minimums above.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

To export the STS certificate from the consuming farm

On a server that is running SharePoint 2013 on the consuming farm, verify that you have the following memberships:

securityadmin fixed server role on the SQL Server instance.

db_owner fixed database role on all databases that are to be updated.

Administrators group on the server on which you are running the Windows PowerShell cmdlets.

Add memberships that are required beyond the minimums above.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

On a server that is running SharePoint 2013 on the publishing farm, verify that you have the following memberships:

securityadmin fixed server role on the SQL Server instance.

db_owner fixed database role on all databases that are to be updated.

Administrators group on the server on which you are running the Windows PowerShell cmdlets.

Add memberships that are required beyond the minimums above.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
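The three export procedures above (root and STS certificate from the consuming farm, root certificate from the publishing farm) use the same cmdlets and differ only in which farm you are standing on. The following script is an added example, not code from the original article; it is run once on a server of each farm, in an elevated Windows PowerShell 3.0 session. The -Role switch, the C:\FarmTrust output folder and the file names are assumptions for illustration. It exports only the public certificate (X509ContentType Cert), so no private key leaves the farm, and it prints each certificate's thumbprint so the administrator of the other farm can verify the copy before trusting it.

```powershell
# Added example (not part of the original article). Exports the trust certificates one farm
# hands to the other. Assumptions: elevated Windows PowerShell 3.0 on a SharePoint 2013 server
# of the farm named in -Role; C:\FarmTrust and the file names are illustrative. The
# Set-Content -Encoding Byte syntax is Windows PowerShell; PowerShell 7 would use -AsByteStream.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Consuming', 'Publishing')]
    [string]$Role,
    [string]$OutDir = 'C:\FarmTrust'   # hypothetical folder; copy its contents to the other farm
)

# Load the SharePoint cmdlets when not running inside the SharePoint 2013 Management Shell.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

if (-not (Test-Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

function Export-PublicCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Path
    )
    # X509ContentType.Cert writes a DER-encoded .cer containing the public certificate only,
    # so the farm's private keys never leave the server.
    $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) |
        Set-Content -Path $Path -Encoding Byte
    # Return the thumbprint so it can be communicated out of band (mail, ticket, phone) and
    # checked by the importing administrator before any trust is created.
    [pscustomobject]@{
        File       = $Path
        Subject    = $Cert.Subject
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
    }
}

# Every farm exports its root certificate (the farm's own certificate authority).
$rootCert = (Get-SPCertificateAuthority).RootCertificate
$results = @(Export-PublicCert -Cert $rootCert -Path (Join-Path $OutDir "${Role}FarmRoot.cer"))

# Only the consuming farm also exports its STS signing certificate. The publishing farm will
# accept tokens signed with the matching private key, so this is the certificate that grants access.
if ($Role -eq 'Consuming') {
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    $results += Export-PublicCert -Cert $stsCert -Path (Join-Path $OutDir 'ConsumingFarmSTS.cer')
}

$results | Format-Table -AutoSize
```

Run it as, for example, `.\Export-FarmTrust.ps1 -Role Consuming` on the consuming farm and `.\Export-FarmTrust.ps1 -Role Publishing` on the publishing farm (the script name is assumed), then copy the resulting .cer files to the other farm and send the printed thumbprints separately from the files.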

To establish trust on the consuming farm, you must import the root certificate that was copied from the publishing farm and create a trusted root authority.

To import the root certificate and create a trusted root authority on the consuming farm

Verify that you have the following memberships:

securityadmin fixed server role on the SQL Server instance.

db_owner fixed database role on all databases that are to be updated.

Administrators group on the server on which you are running the Windows PowerShell cmdlets.

Add memberships that are required beyond the minimums above.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

To establish trust on the publishing farm, you must import the root certificate that was copied from the consuming farm and create a trusted root authority. You must then import the STS certificate that was copied from the consuming farm and create a trusted service token issuer.

To import the root certificate and create a trusted root authority on the publishing farm

Verify that you have the following memberships:

securityadmin fixed server role on the SQL Server instance.

db_owner fixed database role on all databases that are to be updated.

Administrators group on the server on which you are running the Windows PowerShell cmdlets.

Add memberships that are required beyond the minimums above.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.

<C:\ConsumingFarmRoot.cer> is the name and location of the root certificate that you copied to the publishing farm from the consuming farm.

<ConsumingFarm> is a unique name that identifies the consuming farm. Each trusted root authority must have a unique name.

To import the STS certificate and create a trusted service token issuer on the publishing farm

Verify that you have the following memberships:

securityadmin fixed server role on the SQL Server instance.

db_owner fixed database role on all databases that are to be updated.

Administrators group on the server on which you are running the Windows PowerShell cmdlets.

Add memberships that are required beyond the minimums above.

An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint 2013 cmdlets.

Note:

If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about Windows PowerShell permissions, see Add-SPShellAdmin.
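The import procedures for the consuming farm (trusted root authority only) and the publishing farm (trusted root authority plus trusted service token issuer) are combined in the following script, an added example that is not code from the original article. It is run in an elevated Windows PowerShell 3.0 session on a server of the farm named in -Role; the C:\FarmTrust folder, the file names, the trust names and the script name are assumptions. The check a practitioner wants here is the thumbprint comparison: the .cer files travel between farms as plain files, and a substituted root or STS certificate would make the farm trust an attacker's token issuer, so the script refuses to create any trust for a file whose thumbprint was not supplied or does not match the value reported by the exporting administrator.

```powershell
# Added example (not part of the original article). Imports the certificates copied from the
# other farm after verifying each file's thumbprint against the value received out of band.
# Assumptions: elevated Windows PowerShell 3.0 on a SharePoint 2013 server; folder, file
# names, trust names and the expected thumbprints are illustrative placeholders.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Consuming', 'Publishing')]
    [string]$Role,
    [string]$CertDir = 'C:\FarmTrust',
    # File name -> thumbprint reported by the exporting administrator, e.g.
    # @{ 'PublishingFarmRoot.cer' = 'AB12...' }. Empty by default so nothing is trusted blindly.
    [hashtable]$ExpectedThumbprint = @{}
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-VerifiedCert {
    param([string]$Path)
    # Get-PfxCertificate reads a public-only DER .cer file as well as a PFX.
    $cert = Get-PfxCertificate -FilePath $Path
    $name = Split-Path -Path $Path -Leaf
    if (-not $ExpectedThumbprint.ContainsKey($name)) {
        throw "No expected thumbprint recorded for $name; obtain it from the other farm's administrator before trusting this file."
    }
    # Normalise a pasted thumbprint (spaces, lower case) before comparing.
    $expected = ($ExpectedThumbprint[$name] -replace '\s', '').ToUpper()
    if ($cert.Thumbprint -ne $expected) {
        throw "Thumbprint mismatch for ${name}: file has $($cert.Thumbprint), expected $expected. Do not import."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        throw "$name expired on $($cert.NotAfter); request a fresh export."
    }
    $cert
}

if ($Role -eq 'Consuming') {
    # The consuming farm trusts only the publishing farm's root certificate.
    $trustCert = Get-VerifiedCert -Path (Join-Path $CertDir 'PublishingFarmRoot.cer')
    if (-not (Get-SPTrustedRootAuthority -Identity 'PublishingFarm' -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name 'PublishingFarm' -Certificate $trustCert | Out-Null
    }
} else {
    # The publishing farm trusts the consuming farm's root certificate and, separately, its STS
    # signing certificate; the second is what lets tokens from the consuming farm be accepted.
    $trustCert = Get-VerifiedCert -Path (Join-Path $CertDir 'ConsumingFarmRoot.cer')
    if (-not (Get-SPTrustedRootAuthority -Identity 'ConsumingFarm' -ErrorAction SilentlyContinue)) {
        New-SPTrustedRootAuthority -Name 'ConsumingFarm' -Certificate $trustCert | Out-Null
    }
    $stsCert = Get-VerifiedCert -Path (Join-Path $CertDir 'ConsumingFarmSTS.cer')
    if (-not (Get-SPTrustedServiceTokenIssuer -Identity 'ConsumingFarm' -ErrorAction SilentlyContinue)) {
        New-SPTrustedServiceTokenIssuer -Name 'ConsumingFarm' -Certificate $stsCert | Out-Null
    }
}

# Show what the farm now trusts; every entry should correspond to a thumbprint verified above.
Get-SPTrustedRootAuthority |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } }
Get-SPTrustedServiceTokenIssuer |
    Select-Object Name, @{ n = 'Thumbprint'; e = { $_.SigningCertificate.Thumbprint } }
```

On the publishing farm this would be invoked as `.\Import-FarmTrust.ps1 -Role Publishing -ExpectedThumbprint @{ 'ConsumingFarmRoot.cer' = '<thumbprint>'; 'ConsumingFarmSTS.cer' = '<thumbprint>' }`, with the values taken from the export output the consuming farm's administrator sent separately from the files. The existence checks make the script safe to rerun, and the final listing is the same information Central Administration shows on the Trust Relationship page.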

You can manage trusts on a farm only after the relevant certificates have already been exported and copied to the farm.

To establish trust by using Central Administration

Verify that the user account that is performing this procedure is a member of the Farm Administrators SharePoint group.

On the SharePoint Central Administration website, click Security.

On the Security page, in the General Security section, click Manage trust.

On the Trust Relationship page, on the ribbon, click New.

On the Establish Trust Relationship page:

Supply a name that describes the purpose of the trust relationship.

Browse to and select the Root Authority Certificate for the trust relationship. This must be the Root Authority Certificate that was exported from the other farm by using Windows PowerShell, as described in Exporting and copying certificates.

If you are performing this task on the publishing farm, select the check box for Provide Trust Relationship. Type in a descriptive name for the token issuer and browse to and select the STS certificate that was copied from the consuming farm, as described in Exporting and copying certificates.

Click OK.

After a trust relationship is established, you can modify the Token Issuer description or the certificates that are used by clicking the trust, and then clicking Edit. You can delete a trust by clicking it, and then clicking Delete.